Throttling cpu utilization by implementing a rate limiter

ABSTRACT

An approach for a hypervisor to throttle CPU utilization based on a CPU utilization throttling request received for a data flow is presented. A method comprises receiving a request for a CPU utilization throttling. The request is parsed to extract a CPU utilization level and a data flow identifier of the data flow. Upon receiving a data packet that belongs to the data flow identified by the data flow identifier, a packet size of the data packet is determined, and a rate limit table is accessed to determine, based on the CPU utilization level and the packet size, a rate limit for the data packet. If it is determined, based at least on the rate limit, that the CPU utilization level for the data flow would be exceeded if the data packet is transmitted toward its destination, then a recommendation is generated to drop the data packet.

BACKGROUND

Managing data traffic communications exchanged along datapaths is usually performed in a best-effort mode. In the best-effort mode, CPU resources are provisioned for processing data flows based on the resources' availability. Therefore, it is possible in this mode that the data flows that communicate at high rates may absorb all CPU resources. This in turn, may prevent other applications or workloads, such as guest virtual machines and system processes and threads that execute on the same physical server, from receiving required CPU resources for some time.

The situation may become even more problematic when a distributed network encryption (DNE) mechanism is enabled on datapaths. Due to the high CPU cost required to encrypt and decrypt data packets along the datapaths, the data traffic that requires the DNE may consume all CPU resources, and leave no CPU resources for executing guest virtual machines and system processes/threads. This may delay or even stall execution of those processes and threads.

In some situations, impeding the execution of guest virtual machines and system processes/threads may slow down the processing of time-sensitive data traffic that may be deadlocked as it waits for the system processes/threads to complete their tasks. Unfortunately, the best-effort mode does not provide sufficient mechanisms for reducing the amount of CPU resources already allocated to the data traffic to allow other applications or workloads, such as guest virtual machines, to receive the CPU resources.

SUMMARY

Techniques are described herein for throttling CPU utilization by data flows in a computer virtual network. The throttling of the CPU utilization is initiated in response to receiving a CPU throttling request, also referred to herein as a request. The request may be received from a user or an administrator who executes, for example, a virtual machine that generates data traffic in the virtual network, but who requests less than 100% of the CPU resources for the processing of the data traffic so that other tasks and applications can also receive some of the CPU resources.

A CPU throttling request may be received by a hypervisor. Alternatively, the request may be received by a control plane first, and then communicated from the control plane to the hypervisor.

In an embodiment, a request received from a user or an administrator may specify a desired CPU utilization level for processing data traffic. Typically, the desired CPU utilization level included in the request will be less than 100% so that the remaining CPU resources (not allocated to the traffic processing) may be allocated to other tasks and applications.

A request may also include a data flow identifier of the data flow to which the request is to be applied. The data flow identifier may specify that all data processed at the host is throttled according to the desired CPU utilization level. Alternatively, the data flow identifier may specify a particular VM for which all data processed at the host that is generated by or is directed to the particular VM is throttled according to the desired CPU utilization level. Finally, the data flow identifier may be a destination MAC address of data packets that belong to the data flow. The desired CPU utilization level included in the request may be applied to all data packets that belong to the data flow, and a hypervisor will guarantee no more than the desired CPU utilization level for processing the data packets that belong to the data flow.

To guarantee a desired CPU utilization level for processing data traffic, the hypervisor determines, on a per-packet-basis, whether a packet is to be dropped or accepted and thus transmitted to its destination. For example, if transmitting a detected data packet toward its destination would require exceeding the desired CPU utilization level requested by the user or the administrator for the data flow, then a hypervisor may recommend dropping the packet. Otherwise, the data packet may be transmitted toward its destination.

However, if a user or an administrator sent a request that specifies a desired CPU utilization level for a data flow as 100%, or if the user or the administrator did not send a CPU utilization request for the data flow at all, then the CPU resources will be assigned for processing traffic in a best-effort mode.

Upon receiving a CPU throttling request, the hypervisor parses the request to extract a CPU utilization level, and a data flow identifier.

Upon detecting a data packet that belongs to the data flow, the hypervisor determines a size of the data packet and whether the data packet is encrypted. Based on the size of the data packet and the CPU utilization level, the hypervisor accesses either a rate limit table for encrypted data packets or a rate limit table for unencrypted data packets.

Based on the packet size, the CPU utilization level, and the information included in the corresponding rate limit table, the hypervisor determines a particular rate limit value for the data packet. Then, the hypervisor invokes and executes a rate limiter function using the particular limit value to determine recommendations for either dropping or accepting the packet. The recommendations are derived by analyzing the content of a so-called bucket associated with the CPU resource dedicated to processing the data flow. The concept of the bucket is described in detail in FIG. 2.

The approach may be implemented along any part of a datapath of the data packet communications. This may include implementing the approach at a point of the datapath that is between a virtual machine and a virtual switch that detects data packets on virtual ports of the switch. This may also include implementing the approach along the datapath that is internally processed by the virtual switch. Furthermore, this may include implementing the approach at a point of the datapath that is between hardware components and a hypervisor that detects data packets on uplinks configured to support communications with a physical network.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings:

FIG. 1 is a block diagram depicting an example system architecture for throttling CPU utilization;

FIG. 2 is an example flow chart for throttling CPU utilization by implementing a rate limiter;

FIG. 3A is a block diagram for determining whether to allocate CPU resources to tasks based on a CPU throttling mode or a default mode;

FIG. 3B is an example flow chart for determining a rate limit in a CPU throttling mode;

FIG. 4 depicts an example rate limit table;

FIG. 5 depicts pseudocode representing an algorithm for determining whether to accept or drop a detected packet based on a current bucket size, an arrival time, a last arrival time, a packet size, and a rate limit.

DETAILED DESCRIPTION

In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the method described herein. It will be apparent, however, that the present approach may be practiced without these specific details. In some instances, well-known structures and devices are shown in a block diagram form to avoid unnecessarily obscuring the present approach.

1. Example System Architecture for Implementing a CPU Utilization Throttling

FIG. 1 is a block diagram depicting an example system architecture for implementing a CPU utilization throttling. The depicted system architecture 100 includes one or more hosts 110, and one or more physical networks 190.

Host 110 may include a hypervisor 160, a data repository 150, and other hardware components 175. Hypervisor 160 may include a virtual switch 140 that may provide connectivity to and from one or more virtual machines, such as VM1 120 and VM2 122. Hypervisor 160 may use uplinks 170, 172 to provide connectivity between the virtual machines and physical network 190.

Hypervisor 160 may be configured to execute programmable instructions to implement a CPU utilization throttling. For example, hypervisor 160 may be configured to receive a CPU throttling request from a user or an administrator who executes, for example, a virtual machine or workload that generates or receives data traffic in host 110 or that is affected by another application or workload that is generating or receiving the data traffic. The request may specify a CPU utilization level for the data-traffic-related tasks of executing the virtual machine. It is assumed that the particular CPU utilization level for the data-traffic-related tasks is less than 100% so that non-traffic-related tasks can receive the remaining portion of the CPU resources.

However, if the request specifies the desired CPU utilization level for a data flow as 100%, or if no request has been received for the data flow from a user or an administrator, then hypervisor 160 may assign the CPU resources to the traffic-processing related tasks relying on a best-effort mode. An example decision process for determining whether to use the CPU utilization throttling mode or the best-effort mode is described in FIG. 3A.

Hypervisor 160 may receive a CPU throttling request directly from a user or an administrator, e.g., by accessing a management portal exported by the hypervisor, or from a control plane (not depicted in FIG. 1). The control plane may comprise one or more controllers (computers that may operate in a cluster) which may receive direction from a management plane, which itself may comprise a user interface accessible by a user or an administrator, or from automated orchestration software. In an embodiment, the throttling request may pertain to the data traffic that is generated by a virtual machine. If the throttling request pertains to the data traffic that is generated by the virtual machine, then the throttling is applied to data packets that are detected by a virtual switch. In another embodiment, the throttling request may pertain to the data traffic that is directed toward a virtual machine. If the throttling request pertains to the data traffic that is directed toward the virtual machine, then the throttling is applied to data packets that are detected by a physical network interface card.

Hypervisor 160 takes the CPU utilization request from the administrator and enforces that the traffic-processing load does not exceed the specified CPU utilization. For example, if the user or the administrator sent a request for CPU utilization throttling for communications transmitted from their virtual machine to VM2 122, then upon receiving the request, hypervisor 160 will throttle the CPU allocation for processing that data traffic based on the CPU utilization level included in the request. Specifically, hypervisor 160 will extract the CPU utilization level from the request, and use the CPU utilization level, along with the size of the packet being processed, to determine a rate limit. The rate limit function is then placed and executed at the entrance to the Tx datapath (the vNIC in the sending host) and to the Rx datapath (the pNIC in the receiving host). Based on the decision (ACCEPT or DROP) made by the rate limit function, the packet is accepted into, or dropped from, the datapath processing.

Hypervisor 160 may determine a rate limit for the data flow once a data packet of the data flow is detected. The packet may be detected at any endpoint of a datapath 111 used to communicate the data flow. The rate limit is determined based on for example, the CPU utilization level extracted from the CPU throttling request, a size of the detected data packet, and determining whether the detected packet is encrypted or not. Details of determining the rate limit are described in FIG. 3B.

Hypervisor 160 uses the rate limit to determine, based on a per-packet-basis, whether the detected packet is to be dropped or transmitted toward its destination.

For example, upon receiving a CPU throttling request from a user or an administrator, hypervisor 160 determines a data flow to which the request pertains, extracts the CPU utilization level value from the request, and uses the CPU utilization level value to determine a rate limit that is required to provide no more than the requested CPU utilization level for processing the data flow.

Hypervisor 160 may compute a rate limit using different approaches. The process of computing the rate limit may depend on whether data packets communicated within a data flow for which the CPU throttling request was issued are encrypted or not. Examples of computing the rate limit for encrypted data packets are described in FIG. 4. Once the rate limit is determined, hypervisor 160 executes a rate limiter.

A rate limiter is a computer program or a computer function that is configured to manage an abstract bucket associated with the CPU dedicated to handling the data flow for which the request was issued. The rate limiter may be implemented in hypervisor 160 or in a library of functions available to hypervisor 160.

A bucket is an abstract data structure associated with a CPU resource. It may be managed using a counter that is originally initiated with a default count of tokens, and then either decreased or increased as data packets of the data flow are processed using the CPU. An example process of managing the bucket is described in FIG. 2.

In an embodiment, hypervisor 160 executes a rate limiter to generate a recommendation on whether to drop or accept a detected data packet that belongs to the data flow for which a CPU throttling request was received from a user or an administrator. The rate limiter may generate a recommendation to drop the data packet when the processing of the data packet would have placed too heavy demands on the CPU to maintain the requested CPU utilization level. If the data packet is dropped, then no additional demands are placed on the CPU. Thus, the CPU utilization may remain at, or below, the CPU utilization level specified in the request.

On the other hand, the rate limiter may generate a recommendation to accept the data packet when the utilization of the CPU dedicated to processing the data packet will remain below, or at, the CPU utilization level specified in the request. An example process executed by the rate limiter is described in FIG. 2.

To determine whether a received data packet is to be accepted or dropped, hypervisor 160 may use not only the information included in the CPU utilization throttling request, but also data stored in for example, a data repository 150. Data repository 150 may store data tables 203 for computing rate limits for unencrypted data packets, data tables 204 for computing rate limits for encrypted data packets, a bucket capacity value 205, a last arrival time 206, a current bucket size 207, and a hyperlink for a rate limiter function 208. The data stored in data repository 150 is described in detail in FIG. 2 and FIG. 3B.

Hypervisor 160 may use an uplink UP1 170 and an uplink UP2 172 to provide connectivity between virtual switch 140 and physical network(s) 190. An uplink is a virtual port of the virtual switch that connects to a physical Ethernet adapter.

Virtual switch 140 may be configured to monitor and manage data traffic that is communicated to and from hypervisor 160. Virtual switch 140 may be implemented as a kernel component of hypervisor 160, or as an entity that is separate from hypervisor 160, but that communicates with hypervisor 160.

Virtual switch 140 may be configured to detect, on a virtual port VP1 130 and a virtual port VP2 132, outgoing (egress) data packets received from VM1 120 and/or VM2 122, respectively. Implementations of virtual switch 140 may vary and may depend on a type of product in which the switch is deployed as a virtualization medium. For example, virtual switch 140 may be implemented as part of hypervisor 160, as it is depicted in FIG. 1. Alternatively, although not depicted in FIG. 1, a virtual switch may be implemented within user space, or within a privileged virtual machine that has exclusive control over physical resources such as PNICs 180, 182.

FIG. 1 depicts that host 110 hosts virtual machines VM1 120 and VM2 122. However, host 110 may host any number of virtual machines. VM1 120 and VM2 122 may be instantiated as virtualized computing instances. The instances may be equipped with their own resources, may be assigned their own workloads, and may be configured to perform their own tasks. Virtual resources allocated to the virtual machines may include virtual CPUs, virtual memory, virtual disks, virtual network interface controllers and the like. VM1 120 and VM2 122 may be configured to execute guest operating systems and guest applications.

Hardware components 175 may include hardware processors, memory units, data storage units, and physical network interfaces such as network interface controllers (a PNIC 180 and a PNIC 182) that may provide connectivity to routers and switches of physical networks 190.

Physical networks 190 may include local area networks and/or wide area networks, and may utilize various hardware and software configurations. For example, physical networks 190 may include one or more routers, one or more switches, one or more switch ports, and other data communications and processing components.

2. Example Rate Limiter

A rate limiter is a function executed by a hypervisor to determine, based on a rate limit set for processing data packets, whether to drop or accept a data packet. A rate limiter may be implemented as a software-based function that is invoked for each data packet, or some plurality of data packets, of the data flow detected by hypervisor 160 along a datapath and for which hypervisor 160 received a CPU throttling request.

Upon receiving a CPU throttling request, hypervisor 160 extracts, from the request, a data flow identifier for the data flow and a CPU utilization level desired for the data flow. Hypervisor 160 uses the extracted information and the data stored in data repository 150 to determine a rate limit for processing a detected data packet that belongs to the data flow. The rate limit is determined periodically, or each time a data packet of the data flow is detected. Since the packets of the same data flow may have different sizes, and the rate limit depends, among other things, on a size of the packet, the rate limiter may determine a rate for each detected packet individually. Based on at least the rate limit, the rate limiter determines a recommendation whether to drop or accept the detected packet. Examples of computing a rate limit are described in FIG. 4.

An output of the rate limiter is a recommendation for hypervisor 160 to either accept or drop the detected data packet to guarantee that no more than the desired data processing CPU utilization level, requested for the data flow in the CPU throttling request, is maintained for processing the data flow.

A recommendation may state that the detected data packet is either to be accepted, or to be dropped. For example, if the rate limiter determines, based on the rate limit, that the desired CPU utilization level for the data flow would be exceeded if the data packet is accepted, then the rate limiter generates a recommendation to drop the data packet. However, if the rate limiter determines, based on the rate limit, that the desired CPU utilization level for the data flow would not be exceeded if the data packet is transmitted toward its destination, then the rate limiter generates a recommendation to accept the data packet and the data packet is transmitted toward its destination.

3. Example Bucket

To throttle CPU resources according to a CPU throttling request received from a user or an administrator, a rate limiter may implement a concept of a token bucket rate limiter.

A token bucket is a data structure used to store a count of tokens, which may vary from time to time. In one embodiment, the count of tokens indicates availability of a CPU resource dedicated to processing the user's or the administrator's data flow at a given time.

The token count is managed to determine whether to drop or accept a data packet detected along a datapath. A count of tokens is used to determine whether a detected data packet, that belongs to the data flow for which a CPU throttling request was issued, is to be dropped or accepted. To accept a detected data packet that has a particular size, the bucket needs to have a sufficient count of tokens. In one embodiment, a token in the bucket corresponds to processing 1 byte of data by a CPU.

A bucket may be initiated with a default count of tokens. The default count of tokens may be determined heuristically, or experimentally based on experiments conducted for various data traffics.

To accept a detected data packet, a token bucket associated with the CPU processing the data packet needs to contain a sufficient count of tokens. The detected data packet is accepted only if there is a sufficient count of tokens in the bucket to process the data packet, and if the processing of the data packet will not cause exceeding a CPU utilization level specified in a CPU throttling request. For example, to process a data packet that has a size of 512 bytes and to maintain a 1 byte/μsec processing rate as the packet is processed, the bucket associated with the CPU dedicated to processing the data packet needs to have at least 512 tokens.

A bucket described herein permits some packet burstiness because the token bucket allows processing a burst of the data packets as long as the bucket contains a sufficient count of tokens to process the packets.

Tokens may be subtracted from a bucket. Suppose that, at the time a data packet was detected along a datapath, the bucket stored 1000 tokens. Suppose also that a size of the detected data packet is 512 bytes. Then the bucket has enough tokens to recommend accepting the packet because the difference between 1000 and 512 is positive. Once the recommendation to accept the packet is conveyed to hypervisor 160, a count of tokens stored in the bucket is reduced by 512 because 512 tokens are required to process the packet. Therefore, upon recommending accepting the packet, the count of tokens in the bucket is reduced.

However, in some situations, a bucket may not have enough tokens to recommend accepting the data packet. This may happen when a difference between a count of tokens stored in the bucket and a size of the data packet is negative. In such a situation, a recommendation is generated to drop the packet, and the count of tokens in the bucket remains unchanged. Details pertaining to managing the bucket and tokens are described in FIG. 2.

Tokens may be added to a bucket periodically at the rate specified by a rate limit. The rate limit is determined based on a CPU utilization level extracted from a CPU utilization throttling request, and based on data included in data repository 150. Once the rate limit is determined, the rate limit is used to determine whether, upon an expiration of some period of time, some tokens may be added to the bucket. Suppose that a rate limit for processing data packets of a particular data flow is 25 bytes/μsec, and the previously accepted data packet of the particular data flow was accepted 2 μsec ago. Then, it may be assumed that about 50 bytes (i.e., 25 bytes/μsec * 2 μsec) of the previously accepted data packet have already been processed. Therefore, 50 tokens may be added to the token bucket.

In an embodiment, a bucket has an associated parameter called a bucket capacity. The bucket capacity indicates the maximum number of tokens that the bucket may store. The bucket capacity regulates the maximum traffic burst that a rate limiter is able to tolerate. When the token bucket is full at its capacity, no additional tokens are added to the token bucket.

4. Example Flow Chart for Throttling CPU Utilization

FIG. 2 is an example flow chart for throttling CPU utilization by implementing a rate limiter. The steps described in FIG. 2 may be executed by a hypervisor, or by a rate limiter invoked by the hypervisor. In an embodiment, the hypervisor may invoke the rate limiter to generate recommendations whether to drop or accept a data packet. A rate limiter is a computer program or a computer function that is configured to manage the token bucket associated with a CPU resource dedicated to processing data for which a CPU throttling request has been received. The rate limiter is used to generate the packet accept/drop recommendations.

For the purpose of describing the steps depicted in FIG. 2, it is assumed that a CPU throttling request has already been received from a user or an administrator, and that the request is for a data flow generated or received as certain applications execute on the host. The CPU throttling request is a request for allocating no more than a certain percentage of the CPU resource for processing the data generated or received at the host. The certain percentage of the CPU resources to be allocated for processing the data is referred to as a CPU utilization level value, and is typically specified in the request.

The CPU throttling request may also include a data flow identifier that identifies the data flow for which the request pertains. The data flow identifier may be a value indicating that all data packet processing is included, a VM identifier that indicates all data packet processing for packets issuing from and directed to a particular VM is included, or a destination MAC address indicating that data packets matching the destination MAC are included in the throttling.

In step 210, a data packet is detected at a certain point along a datapath at an arrival time. Detecting a data packet may be interpreted as observing the data packet at a certain point along the datapath that is used to communicate data packets of the data flow for which a CPU throttling request has been received. For example, a hypervisor may detect a data packet at a virtual port of a virtual switch along a portion of the datapath that is between a virtual machine and the virtual switch. This may also include detecting a data packet along the datapath that is internally processed by the virtual switch. This may further include detecting a data packet at an uplink configured to support communications between the hypervisor and a physical network.

An arrival time is the time at which the data packet is detected at a certain point along the data path. The arrival time for the data packet is recorded or otherwise associated with the data packet.

In step 220, a hypervisor determines a packet size of the detected data packet. This may be accomplished by processing a header of the packet, identifying a payload length in the header, and determining the packet size as a sum of a length of the packet header and the payload length. For the purpose of explaining the rate limiter function, the packet size will be equated to a count of tokens that are required to accept the packet and transmit the packet toward its destination.

Also in this step, the hypervisor determines a rate limit for the detected data packet. A rate limit for a detected data packet indicates an amount of data that a CPU dedicated to process the data packet can process within a certain time interval. An example of the time interval is one second. A rate limit may be determined based on a CPU utilization level included in the CPU throttling request received from a user or an administrator, a size of the packet, and whether the packet is encrypted.

A CPU utilization level value indicates a CPU utilization level that is desired by a user or an administrator for processing the data flow generated by executing, for example, a virtual machine. The CPU utilization level value corresponds to the throttling level that the hypervisor will attempt to provide, but that will not be exceeded. Indeed, it is possible that the hypervisor will provide less than the CPU utilization level to the user's or the administrator's data flow. This may allow assigning the remaining amount of the CPU resource to non-traffic-related applications and/or system processes and tasks.

In step 230, the hypervisor determines whether an abstract bucket associated with the CPU dedicated to processing the administrator's data flow includes a sufficient count of tokens for processing the detected data packet. This may include comparing an adjusted current bucket size with the size of the detected data packet, and generating a recommendation to drop the packet if the packet size exceeds the adjusted current bucket size, or generating a recommendation to accept the packet otherwise.

An adjusted current bucket size may be determined as a minimum of 1) a capacity of the bucket, and 2) a sum of a current bucket size and a count of tokens returned to the bucket between a last arrival time of a previously processed packet and the arrival time of the detected data packet.

A last arrival time is the time when a previous data packet of the data flow was detected, whereas an arrival time is the time when the current data packet of the data flow was detected. The count of tokens returned to the bucket represents a count of tokens that might have been returned to the bucket because a certain count of bytes of the previous data packet might have already been processed by the CPU by the arrival time.

For example, suppose that a previous packet was detected at time t₁, had a size of 1024 bytes, and was accepted for processing by the CPU. Furthermore, suppose that a current data packet was received at time t₂, and also has a size of 1024 bytes. Note, however, that the previous packet and the currently detected packet of the same data flow may have different sizes. Moreover, suppose that the rate limit for processing the data packets of the data flow to maintain the requested CPU utilization level is 512 bytes/μsec. Provided that t₁<t₂, t₁=5 μsec, and t₂=7 μsec, the count of tokens that were returned to the bucket at time t₂ is ((t₂−t₁)*rate limit)=(2 μsec*512 bytes/μsec)=1024. Hence, by the time t₂ when the current data packet is detected, 1024 tokens have been returned to the bucket, and the bucket stores at least 1024 tokens at time t₂.

Suppose that a current size of the bucket before detecting the current data packet at time t₂ was 1024. If, at time t₂, 1024 tokens have been returned to the bucket, then the current size of the bucket at time t₂ is (1024+1024)=2048. That means that the bucket has 2048 tokens at time t₂.

Suppose that a capacity of the bucket is 1 M of tokens. Then, a minimum taken from 1) the current size of the bucket at time t₂, and 2) the capacity of the bucket is 2048 because 2048<1 M. The minimum of 1) the current size of the bucket at time t₂, and 2) the capacity of the bucket is referred to as an adjusted current bucket size.

In step 240, the hypervisor determines whether the packet size of the data packet detected at time t₂ exceeds the adjusted current bucket size determined at time t₂. In the example described above, the adjusted current bucket size at time t₂ is 2048, and the packet size of the data packet detected at time t₂ is 1024 bytes. Thus, the packet size of the data packet detected at time t₂ does not exceed the adjusted current bucket size determined at time t₂.

If in step 250, it is determined that the packet size of the data packet detected at time t₂ exceeds the adjusted current bucket size determined at time t₂, then step 280 is performed. Otherwise, step 260 is performed.

In step 260, the hypervisor reduces the current bucket size by the packet size of the detected data packet.

In step 270, the hypervisor generates and returns a recommendation to accept the detected data packet, and therefore to let the CPU dedicated to processing the data flow process the detected data packet.

Step 280 is performed if the hypervisor determined that the packet size of the data packet detected at time t₂ exceeds the adjusted current bucket size determined at time t₂. Therefore, the bucket does not have enough tokens at time t₂ to process the detected data packet while throttling the CPU utilization at, or below, the requested CPU utilization level. Thus, in step 280, the hypervisor generates and returns a recommendation to drop the detected data packet, and thus, to omit the processing of the received data packet.

In step 290, the hypervisor updates the last arrival time to the arrival time of the detected data packet. The updating may include overwriting the last arrival time stored in data repository 150 with the arrival time of the detected data packet. Referring again to the above example, the updating may include updating the last arrival time to t₂, which is the time at which the current data packet was detected.

The above approach allows generating recommendations to either accept or drop a detected data packet of the data flow for which a CPU throttling request was received. If the data packet includes n bytes, and if there are less than n tokens in the bucket, then the rate limiter recommends that the detected data packet be dropped because processing the detected data packet would require exceeding the CPU utilization level that a user or an administrator requested for the data flow.

However, if there are at least n tokens in the bucket, then the rate limiter recommends that the detected data packet be accepted, because processing the detected data packet would not require exceeding the CPU utilization level that a user or an administrator requested for the data flow.

5. Example Pseudocode for Determining Whether to Accept or Drop a Detected Data Packet

FIG. 5 depicts pseudocode representing an algorithm for determining whether to accept or drop a detected packet based on a current bucket size, an arrival time, a last arrival time, a packet size, and a rate limit. In FIG. 5, it is assumed that a CPU throttling request has already been received from a user or an administrator, and that the request is for a data flow generated as certain applications are executed for the user or the administrator. The CPU throttling request is a request for allocating no more than a CPU utilization level of the CPU resource to the data flow. The algorithm presented in FIG. 5 is designed to determine whether the data packet, which is detected at the arrival time, which has the packet size, and which belongs to the data flow for which the CPU throttling request has been received, is to be accepted or dropped so that the CPU utilization level specified in the CPU throttling request is not exceeded.

The pseudocode depicted in FIG. 5 is called a Rate limiter function 510, and includes a call to a Rate_Limiter 520 and a set of instructions 530.

Rate_Limiter 520 has several parameters, including a current_bucket_size, an arrival_time, a last_arrival_time, a rate_limit, and a bucket_capacity. The parameters correspond to the current bucket size, the arrival time, the last arrival time, the rate limit, and the bucket capacity described above, respectively. Rate_Limiter 520 returns an updated current_bucket_size that is computed as the minimum of 1) the current_bucket_size plus the product (arrival_time−last_arrival_time)*rate_limit, and 2) the bucket_capacity. This updated value is the adjusted current bucket size described above.

Instructions 530 compare the updated current_bucket_size with the packet_size of the detected data packet. If the current_bucket_size is greater than, or equal to, the packet_size, then instructions 540 are performed. Otherwise, instructions 550 are performed.

Instructions 540 are executed if the current_bucket_size is greater than, or equal to, the packet_size. Instructions 540 include subtracting the packet_size from the current_bucket_size, and returning a recommendation to accept the detected data packet.

Instructions 550 are executed if the current_bucket_size is less than the packet_size. Instructions 550 include returning a recommendation to drop the detected data packet; the current_bucket_size is left unchanged.

After executing either instructions 540 or instructions 550, the last_arrival_time is updated with the arrival_time of the detected packet.

Once the last_arrival_time is updated, the algorithm terminates.
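The following is an added example that implements the token-bucket decision of steps 230 through 290 and the FIG. 5 pseudocode in Python; it is not code from the patent. It assumes that times are expressed in microseconds, that the rate limit is in bytes/μsec, and that one token pays for one byte of packet, so bucket sizes are in bytes. The clamp on a negative elapsed time is an addition for non-monotonic clocks that the text does not discuss. The worked example replays the section's numbers (t₁=5 μsec, 1024 tokens in the bucket, 512 bytes/μsec, a 1024-byte packet at t₂=7 μsec) and then a constructed burst that drains the bucket so that the drop branch is exercised.

```python
"""Token-bucket rate limiter for a CPU-throttled data flow, following steps
230-290 and the FIG. 5 pseudocode. Added example, not the patent's code.
Assumptions: times are in microseconds, rate_limit is in bytes/usec, and one
token pays for one byte of packet, so bucket sizes are in bytes."""
from dataclasses import dataclass


@dataclass
class FlowBucket:
    rate_limit: float         # bytes/usec the flow may consume at the requested CPU level
    capacity: float           # bucket_capacity: maximum tokens the bucket can hold
    tokens: float             # current_bucket_size
    last_arrival_time: float  # arrival time of the previously detected packet


def refill(bucket: FlowBucket, arrival_time: float) -> float:
    """Rate_Limiter 520: credit the tokens returned since the last arrival and
    cap the result at the bucket capacity. Returns the adjusted current bucket size."""
    elapsed = arrival_time - bucket.last_arrival_time
    # Assumption beyond the text: a non-monotonic clock must never debit tokens,
    # so a negative elapsed time is clamped to zero instead of producing a refund.
    elapsed = max(elapsed, 0.0)
    returned = elapsed * bucket.rate_limit
    bucket.tokens = min(bucket.tokens + returned, bucket.capacity)
    return bucket.tokens


def rate_limiter(bucket: FlowBucket, arrival_time: float, packet_size: int) -> str:
    """Returns 'accept' or 'drop' for one packet of the flow and updates the bucket."""
    adjusted = refill(bucket, arrival_time)          # step 230
    if packet_size <= adjusted:                      # step 250
        bucket.tokens -= packet_size                 # step 260
        decision = "accept"                          # step 270
    else:
        decision = "drop"                            # step 280: tokens are left untouched
    bucket.last_arrival_time = arrival_time          # step 290, taken on both branches
    return decision


def run_worked_example() -> list:
    """Replays the section's numbers (t1=5us, 1024 tokens in the bucket, 512 B/usec,
    a 1024-byte packet at t2=7us) and then a constructed burst that drains the bucket.
    Each trace entry is (arrival_time, packet_size, decision, tokens_after)."""
    bucket = FlowBucket(rate_limit=512, capacity=1_000_000, tokens=1024, last_arrival_time=5)
    trace = []
    for arrival_time, size in [(7, 1024), (7, 1024), (7, 1024), (9, 1024)]:
        decision = rate_limiter(bucket, arrival_time, size)
        trace.append((arrival_time, size, decision, bucket.tokens))
    return trace


if __name__ == "__main__":
    for entry in run_worked_example():
        print(entry)
```

The trace shows the first 1024-byte packet at t₂=7 μsec accepted against an adjusted bucket of 2048 tokens, a second packet at the same instant accepted against the remaining 1024, a third dropped because no tokens accrued between identical arrival times, and a fourth accepted at t=9 μsec after 2 μsec of refill. Note that the last arrival time is updated on the drop branch as well; this is correct only because the accrued tokens were already credited in the refill step, so dropping does not forfeit them.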

6. Selecting a Default Mode or a CPU Throttling Mode

A default mode may be realized by executing datapath processing in a best-effort fashion. The default mode is also referred to as a best-effort mode. That means that when CPU resources are available, a request for packet processing will be served rather than leaving the CPU idle.

In contrast, a CPU throttling mode is used to control an upper bound of the CPU resources that can be used to process data packets, so that the remaining portion of the CPU resources may remain available for other application and system processes. The CPU throttling mode may be triggered upon receiving CPU throttling requests from the administrators. In an embodiment, the administrators control whether to turn the CPU throttling mode on or off.

An administrator may trigger a CPU throttling mode by issuing a CPU throttling request. The decision whether to issue a CPU throttling request may depend on what and how the administrator wishes to control. For example, if the traffic intensity generated by an application is high and the CPU can potentially be exhausted by performing the packet processing, the administrator may want to throttle the CPU utilization. To do so, the administrator issues a CPU throttling request. Issuing the CPU throttling request imposes a maximum allocation of CPU resources for data traffic processing, and leaves the remaining CPU resources to other time-critical applications.

FIG. 3A is a block diagram for determining whether to allocate CPU resources to tasks based on a CPU throttling mode or a default mode. In step 302, a hypervisor determines whether a CPU throttling request has been received for a data flow. The request may specify the data flow to which the CPU utilization throttling applies, and a CPU utilization level that is not to be exceeded when processing data packets of the data flow.

If, in step 303, the hypervisor determines that the CPU throttling request has been received for the data flow, then step 304 is performed. Otherwise, step 305 is performed.

In step 304, a CPU throttling mode is applied to processing data packets that belong to the data flow, and subsequently, the steps described in FIG. 2 are performed.

However, if the hypervisor determines that the CPU throttling request has not been received for the data flow, then, in step 305, the data flow is processed in the best effort mode in which the CPU allocates resources to the packet processing in the best-effort fashion.

7. Determining a Rate Limit in a CPU Throttling Mode

FIG. 3B is an example flow chart for determining a rate limit in a CPU throttling mode. The depicted flow chart provides the details for computing the rate limit. The rate limit is used in step 220 of FIG. 2.

For the purpose of explaining the steps in FIG. 3B, it is assumed that a CPU throttling request for a data flow has been received, and a data packet of the data flow has been detected.

In step 310, a hypervisor extracts a CPU utilization level from a CPU throttling request received from a user or an administrator for the data flow.

A CPU utilization level extracted from the CPU throttling request is expressed as a percentage value, and is usually less than 100%. The CPU utilization level is the maximum CPU utilization that the user or the administrator requests to have allocated to processing of the user's or the administrator's data flow. The hypervisor uses the CPU utilization level as guidance to provide no more than that share of the CPU resources to the data flow generated as, for example, a virtual machine is executed.

In step 320, the hypervisor determines a packet size of the detected data packet. This may include processing a header of the packet, identifying a payload length in the header, and determining the packet size as a sum of a length of the packet header and the payload length. Also in this step, it is determined whether the detected data packet is encrypted or not.

Determining whether the packet is encrypted or not allows selecting the particular table that is used to determine the rate limit for the packet. Typically, the rate limits for encrypted packets are different from the rates for unencrypted packets. If the packet is encrypted, then a rate limit table for encrypted data packets is used. If the packet is unencrypted, then a rate limit table for unencrypted data packets is used. The reason for having two separate rate limit tables is that processing encrypted data packets, which includes the CPU cost of encryption or decryption, is different from processing unencrypted data packets, and therefore the rates at which encrypted data packets can be processed at a given CPU utilization level differ from the rates at which unencrypted data packets can be processed.

If it is determined, in step 330, that the detected packet is encrypted, then step 350 is performed. Otherwise, step 340 is performed. Whether a packet is encrypted can be determined by checking the header. For example, a protocol number of 50 (IPsec ESP) or 99 (the IANA-reserved value for any private encryption scheme) in the IP header may indicate an encrypted packet.

Step 350 is performed when it is determined that the detected packet is encrypted. In this step, the hypervisor determines whether, for the packet size of the detected packet and for the CPU utilization level extracted from the CPU throttling request, an exact rate limit is present in the rate limit table for the encrypted data packets.

If, in step 352, it is determined that the exact rate limit is present in the rate limit table for the encrypted data packets, then, in step 354 the exact rate limit is extracted from the table.

FIG. 4 depicts an example rate limit table. The depicted rate limit table 420 is for encrypted data packets. A similar rate limit table may be generated for unencrypted data packets as well.

Example rate limit table 420 is a data structure, such as a data table, and is used to store rate limit values for different sizes of data packets and different CPU utilization levels. Example rate limit table 420 may include, for example, columns and rows: the columns may be labeled using CPU utilization levels, and the rows may be labeled using packet sizes. Examples of packet sizes may include 512 bytes, 1024 bytes, 2048 bytes, and so forth. Examples of CPU utilization levels may include 10%, 20%, 30%, 40%, and so forth. In the depicted example, a row 422 includes the rate limits, one per CPU utilization level, for encrypted data packets that contain 512 bytes, while a row 424 includes the rate limits for encrypted data packets that contain 1024 bytes. The values included in example rate limit table 420 for encrypted data packets are provided to illustrate a clear example of the table, and do not correspond to actual traffic data.

Suppose that it is determined that a packet size is 512 bytes and the requested CPU utilization level is 30%. Example rate limit table 420 for encrypted data packets includes row 422 for that packet size, and row 422 includes an entry 426 for that CPU utilization level. Therefore, for the packet size of 512 bytes and the requested CPU utilization level of 30%, the hypervisor may extract from entry 426 of example rate limit table 420 the value of 25 bytes/μsec.

Referring again to FIG. 3B, if, in step 352, it is determined that an exact rate limit is not present in the rate limit table for the encrypted data packets, then, in step 356, a rate limit is approximated by averaging two rate limits extracted from the rate limit table for the encrypted data packets, namely the entries for the two CPU utilization levels nearest to the requested level on either side.

Suppose that it is determined that a packet size is 1024 bytes and the requested CPU utilization level is 25%. Example rate limit table 420 for encrypted data packets includes row 424 for that packet size. However, row 424 does not include an entry for that CPU utilization level. But row 424 includes an entry 428 for the 20% CPU utilization level and an entry 429 for the 30% CPU utilization level. Therefore, for the packet size of 1024 bytes and the requested CPU utilization level of 25%, the hypervisor may extract entries 428 and 429, compute an average value of the two entries, and use the computed average value as an approximated rate limit. In this example, the approximated rate limit is 30 bytes/μsec because (25+35)/2=30. Note that the plain average coincides with a linear interpolation between the two entries only when the requested level lies midway between them, as it does here.

Step 340 is performed when it is determined that the detected packet is unencrypted. In this step, the hypervisor determines whether, for the packet size of the detected packet and for the CPU utilization level extracted from the CPU throttling request, an exact rate limit is present in a rate limit table for unencrypted data packets.

A rate limit table for unencrypted data packets may be a data structure, such as data table, and is used to store rate limit values for different sizes of unencrypted data packets, and different CPU utilization levels. The table may include, for example columns and rows: the columns may be labeled using CPU utilization levels, and rows may be labeled using packet sizes. The rate limit table for unencrypted data packets may be organized as a rate limit table for encrypted data packets, except it will include rates that are specific to unencrypted data packets.

If in step 342 it is determined that an exact rate limit is present in the rate limit table for unencrypted data packets, then, in step 344, the exact rate limit is extracted from the table. For example, if the packet size is 512 bytes, the requested CPU utilization level is 20%, and the rate limit table for unencrypted data packets includes an entry for that packet size and that CPU utilization level, then the exact rate limit value may be extracted from the rate limit table for unencrypted data packets.

However, if in step 342 it is determined that an exact rate limit is absent from the rate limit table for unencrypted data packet, then, in step 346, a rate limit is computed by computing an average of two rate limits extracted from the rate limit table for unencrypted data packets. For example, if the packet size is 512 bytes and the requested CPU utilization level is 25%, and the rate limit table for the unencrypted data packets includes one entry for that packet size and the CPU utilization level of 20%, and another entry for that packet size and the CPU utilization level of 30%, then an approximated rate limit value may be computed as an average value of the two rates.

In step 360, the determined rate limit is returned. The determined rate limit may be either the exact rate limit determined in step 344 or step 354, or the approximated rate limit computed in step 346 or step 356. The determined rate limit is then used in step 230 of FIG. 2 to determine an adjusted current bucket size.
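The following is an added example, not code from the patent, that carries out the FIG. 3B procedure in Python for the IPv4 case: it reads the packet size and the encrypted/unencrypted flag from the IP header (the total length field already equals header length plus payload length, and the protocol field holds the 50 or 99 value mentioned above), selects the matching table, and returns either the exact entry or the average of the two bracketing CPU utilization level entries. The tables are constructed except for the three values the text gives for the encrypted table (512 bytes at 30% = 25, 1024 bytes at 20% = 25, 1024 bytes at 30% = 35). Two details go beyond the text and are assumptions: packet sizes that fall between table rows are mapped to the smallest row that is at least the packet size, and a distance-weighted interpolation is provided alongside the page's plain average to show where the two differ.

```python
"""Rate-limit determination for one detected packet (FIG. 3B): read the packet
size and the encrypted flag from the IPv4 header, select the matching rate limit
table, and return the exact entry or the average of the two bracketing CPU
utilization level entries. Added example, not the patent's code. The tables are
constructed except for the three values the text gives for the encrypted table
(512 B at 30% = 25, 1024 B at 20% = 25, 1024 B at 30% = 35); units are bytes/usec."""
import struct

IPPROTO_ESP = 50            # IPsec Encapsulating Security Payload
IPPROTO_PRIVATE_ENC = 99    # IANA: "any private encryption scheme"
ENCRYPTED_PROTOCOLS = {IPPROTO_ESP, IPPROTO_PRIVATE_ENC}

# {packet_size_bytes: {cpu_utilization_percent: rate_limit_bytes_per_usec}}
RATE_TABLE_ENCRYPTED = {
    512:  {10: 10, 20: 18, 30: 25, 40: 32},
    1024: {10: 12, 20: 25, 30: 35, 40: 45},
    2048: {10: 14, 20: 30, 30: 42, 40: 55},
}
RATE_TABLE_UNENCRYPTED = {
    512:  {10: 40, 20: 70, 30: 100, 40: 130},
    1024: {10: 50, 20: 90, 30: 130, 40: 170},
    2048: {10: 60, 20: 110, 30: 160, 40: 210},
}


def parse_ipv4(packet: bytes):
    """Steps 320/330: return (packet_size, encrypted). The IPv4 total length field
    already equals header length + payload length; the protocol field is byte 9."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    total_length = struct.unpack("!H", packet[2:4])[0]
    protocol = packet[9]
    return total_length, protocol in ENCRYPTED_PROTOCOLS


def table_row(table: dict, packet_size: int) -> dict:
    """Assumption: a packet is looked up in the smallest table row whose size is
    at least the packet size (or the largest row for oversized packets)."""
    sizes = sorted(table)
    for size in sizes:
        if packet_size <= size:
            return table[size]
    return table[sizes[-1]]


def bracketing_levels(row: dict, cpu_level: int):
    """The nearest tabulated CPU levels below and above the requested level."""
    lower = [level for level in row if level < cpu_level]
    upper = [level for level in row if level > cpu_level]
    if not lower or not upper:
        raise ValueError(f"CPU level {cpu_level}% outside the table range")
    return max(lower), min(upper)


def lookup_rate_limit(table: dict, packet_size: int, cpu_level: int) -> float:
    """Steps 340-356: exact entry if present, else the average of the two
    bracketing entries, as the text describes."""
    row = table_row(table, packet_size)
    if cpu_level in row:
        return row[cpu_level]
    lo, hi = bracketing_levels(row, cpu_level)
    return (row[lo] + row[hi]) / 2


def interpolate_rate_limit(table: dict, packet_size: int, cpu_level: int) -> float:
    """Beyond the text: distance-weighted interpolation between the same two entries.
    It agrees with the plain average only when cpu_level is midway between them."""
    row = table_row(table, packet_size)
    if cpu_level in row:
        return row[cpu_level]
    lo, hi = bracketing_levels(row, cpu_level)
    weight = (cpu_level - lo) / (hi - lo)
    return row[lo] + weight * (row[hi] - row[lo])


def determine_rate_limit(packet: bytes, cpu_level: int) -> float:
    """Step 360: the rate limit handed to the token bucket for this packet."""
    packet_size, encrypted = parse_ipv4(packet)
    table = RATE_TABLE_ENCRYPTED if encrypted else RATE_TABLE_UNENCRYPTED
    return lookup_rate_limit(table, packet_size, cpu_level)


def make_packet(total_length: int, protocol: int) -> bytes:
    """Constructed IPv4 packet: minimal 20-byte header plus a zero-filled payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64, protocol, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + bytes(total_length - 20)


if __name__ == "__main__":
    print(determine_rate_limit(make_packet(512, IPPROTO_ESP), 30))   # entry 426
    print(determine_rate_limit(make_packet(1024, IPPROTO_ESP), 25))  # average of 428 and 429
```

The encrypted/unencrypted split is made purely on the IP protocol field, which is all the text relies on; a packet encrypted above the IP layer (for example TLS inside TCP) is therefore charged at the unencrypted rate under this rule, which matters only if the hypervisor itself performs that cryptography. The out-of-range check matters in practice: a requested level below the smallest tabulated column has no bracketing pair, and silently returning the nearest entry would let the flow exceed its requested share.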

8. Improvements Provided by Certain Embodiments

In an embodiment, the techniques described herein allow throttling the CPU utilization for data flow processing so that both the data flow and other tasks/applications receive some CPU resources. The throttling may be initiated when a control plane or a hypervisor receives a CPU throttling request from a user or an administrator. The CPU throttling request specifies a CPU utilization level that is not to be exceeded by the data flow processing.

A CPU utilization level specified in a CPU throttling request corresponds to a desired CPU utilization level for processing the data traffic. The desired CPU utilization level included in the request is usually less than 100% so that the remaining portion of the CPU resources (not allocated for processing the data traffic) may be allocated to other tasks and applications.

To guarantee a desired CPU utilization level for the data traffic, a hypervisor determines, on a per-packet-basis, whether a detected packet is to be dropped or transmitted toward its destination. For example, if transmitting a detected data packet toward its destination would require exceeding the desired CPU utilization level requested by a user or an administrator for a data flow, then the hypervisor may recommend dropping the packet. Otherwise, the data packet may be transmitted toward its destination.

The approach may be implemented along any part of a datapath of the data packet communications. For example, the approach may be implemented at a point of the datapath that is between a virtual machine and a virtual switch. The approach may also be implemented along the datapath that is internally processed by the virtual switch. Furthermore, the approach may be implemented at a point of the datapath that is between hardware components and a hypervisor. Therefore, the CPU utilization may be throttled along different portions of the datapath for the data flow.

9. Implementation Mechanisms

The present approach may be implemented using a computing system comprising one or more processors and memory. The one or more processors and memory may be provided by one or more hardware machines. A hardware machine includes a communications bus or other communication mechanisms for addressing main memory and for transferring data between and among the various components of hardware machine. The hardware machine also includes one or more processors coupled with the bus for processing information. The processor may be a microprocessor, a system on a chip (SoC), or other type of hardware processor.

Main memory may be a random-access memory (RAM) or other dynamic storage device. It may be coupled to a communications bus, and used for storing information and software instructions to be executed by a processor. Main memory may also be used for storing temporary variables or other intermediate information during execution of software instructions to be executed by one or more processors.

10. General Considerations

Although some of various drawings may illustrate a number of logical stages in a particular order, stages that are not order dependent may be reordered and other stages may be combined or broken out. While some reordering or other groupings may be specifically mentioned, others will be obvious to those of ordinary skill in the art, so the ordering and groupings presented herein are not an exhaustive list of alternatives. Moreover, it should be recognized that the stages could be implemented in hardware, firmware, software or any combination thereof.

The foregoing description, for purpose of explanation, has been described regarding specific embodiments. However, the illustrative embodiments above are not intended to be exhaustive or to limit the scope of the claims to the precise forms disclosed. Many modifications and variations are possible in view of the above teachings. The embodiments were chosen to best explain the principles underlying the claims and their practical applications, to thereby enable others skilled in the art to best use the embodiments with various modifications as are suited to the uses contemplated.

In the foregoing specification, embodiments of the approach have been described with reference to numerous specific details that may vary from implementation to implementation. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. The sole and exclusive indicator of the scope of the approach, and what is intended by the applicants to be the scope of the approach, is the literal and equivalent scope of the set of claims that issue from this application, in the specific form in which such claims issue, including any subsequent correction.

Any definitions set forth herein for terms contained in the claims may govern the meaning of such terms as used in the claims. No limitation, element, property, feature, advantage or attribute that is not expressly recited in a claim should limit the scope of the claim in any way. The specification and drawings are to be regarded in an illustrative rather than a restrictive sense.

As used herein the terms “include” and “comprise” (and variations of those terms, such as “including,” “includes,” “comprising,” “comprises,” “comprised” and the like) are intended to be inclusive and are not to exclude further features, components, integers or steps.

References in this document to “an embodiment,” indicate that the embodiment described or illustrated may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described or illustrated in connection with an embodiment, it is believed to be within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly indicated.

Various features of the disclosure have been described using process steps. The functionality/processing of a given process step could potentially be performed in different ways and by different systems or system modules. Furthermore, a given process step could be divided into multiple steps and/or multiple steps could be combined into a single step. Furthermore, the order of the steps can be changed without departing from the scope of the present disclosure.

It will be understood that the embodiments disclosed and defined in this specification extend to alternative combinations of the individual features and components mentioned or evident from the text or drawings. These different combinations constitute various alternative aspects of the embodiments. 

What is claimed is:
 1. A method for a hypervisor to throttle CPU utilization upon receiving a CPU utilization throttling request for a data flow, the method comprising: receiving a request for a CPU utilization throttling, wherein the request includes at least a CPU utilization level and a data flow identifier of a data flow to which the CPU utilization throttling is to be applied; detecting, at a certain point along a datapath, a data packet that belongs to the data flow identified by the data flow identifier; determining a packet size of the data packet; accessing a rate limit table to determine, based on the CPU utilization level and the packet size, a rate limit for the data packet; determining, based at least in part on the rate limit, whether the CPU utilization level for the data flow would be exceeded if the data packet is transmitted toward its destination; and in response to determining that the CPU utilization level for the data flow would be exceeded if the data packet is transmitted toward its destination, generating a recommendation to drop the data packet, causing the data packet to be dropped.
 2. The method of claim 1, wherein determining, based on the rate limit, whether the CPU utilization level for the data flow would be exceeded if the data packet is transmitted toward its destination comprises: determining an arrival time at which the data packet was detected at the certain point of the datapath; determining a last arrival time at which a previous data packet was detected; determining a current bucket size and a bucket capacity of a bucket associated with a CPU resource dedicated to a processing of the data flow; wherein the current bucket size indicates a size of the bucket at the arrival time; wherein the bucket capacity indicates a maximum size of the bucket; computing a count of tokens that have been returned to the bucket by the arrival time; wherein computing the count of tokens comprises determining a product of the rate limit and a difference between the last arrival time and the arrival time; computing an updated current bucket size by adding the count of tokens to the current bucket size; determining an adjusted current bucket size by selecting a minimum of the bucket capacity and the updated current bucket size; determining whether the packet size exceeds the adjusted current bucket size; and in response to determining that the packet size exceeds the adjusted current bucket size, determining that the CPU utilization level for the data flow would be exceeded if the data packet is transmitted toward its destination.
 3. The method of claim 2, further comprising: in response to determining that the packet size does not exceed the adjusted current bucket size, determining that the CPU utilization level for the data flow would not be exceeded if the data packet is transmitted toward its destination.
 4. The method of claim 1, further comprising: in response to determining that the CPU utilization level for the data flow would not be exceeded if the data packet is transmitted toward its destination, generating a recommendation to allow a transmission of the data packet.
 5. The method of claim 1, wherein accessing the rate limit table to determine, based on the CPU utilization level and the packet size, the rate limit for the data packet comprises: determining whether the data packet is encrypted; in response to determining that the data packet is encrypted, accessing a rate limit table for encrypted data packets, to determine the rate limit from the rate limit table for the encrypted data packets, and based on the CPU utilization level and the packet size; and in response to determining that the data packet is unencrypted, accessing a rate limit table for unencrypted data packets, to determine the rate limit from the rate limit table for the unencrypted data packets, and based on the CPU utilization level and the packet size.
 6. The method of claim 1, wherein accessing the rate limit table to determine, based on the CPU utilization level and the packet size, the rate limit for the data packet comprises: identifying, in the rate limit table, two utilization level entries that are indexed using the packet size and that correspond to two utilization levels that are close to the CPU utilization level extracted from the request; computing an average value from the two utilization level entries; and returning the average value as the rate limit.
 7. The method of claim 1, wherein the request for the CPU utilization throttling is communicated to the hypervisor by a control plane.
 8. One or more non-transitory computer-readable storage media storing one or more computer instructions which, when executed by one or more processors, cause the one or more processors to perform: receiving a request for a CPU utilization throttling; wherein the request includes at least a CPU utilization level and a data flow identifier of a data flow to which the CPU utilization throttling is to be applied; detecting, at a certain point along a datapath, a data packet that belongs to the data flow identified by the data flow identifier; determining a packet size of the data packet; accessing a rate limit table to determine, based on the CPU utilization level and the packet size, a rate limit for the data packet; determining, based on the rate limit, whether the CPU utilization level for the data flow would be exceeded if the data packet is transmitted toward its destination; and in response to determining that the CPU utilization level for the data flow would be exceeded if the data packet is transmitted toward its destination, generating a recommendation to drop the data packet.
 9. The one or more non-transitory computer-readable storage media of claim 8, storing additional instructions which, when executed by the one or more processors, cause the one or more processors to perform: determining an arrival time at which the data packet was detected at the certain point of the datapath; determining a last arrival time at which a previous data packet was detected; determining a current bucket size and a bucket capacity of a bucket associated with a CPU resource dedicated to a processing of the data flow; wherein the current bucket size indicates a size of the bucket at the arrival time; wherein the bucket capacity indicates a maximum size of the bucket; computing a count of tokens that have been returned to the bucket by the arrival time; wherein computing the count of tokens comprises determining a product of the rate limit and a difference between the last arrival time and the arrival time; computing an updated current bucket size by adding the count of tokens to the current bucket size; determining an adjusted current bucket size by selecting a minimum of the bucket capacity and the updated current bucket size; determining whether the packet size exceeds the adjusted current bucket size; and in response to determining that the packet size exceeds the adjusted current bucket size, determining that the CPU utilization level for the data flow would be exceeded if the data packet is transmitted toward its destination.
 10. The one or more non-transitory computer-readable storage media of claim 9, storing additional instructions which, when executed by the one or more processors, cause the one or more processors to perform: in response to determining that the packet size does not exceed the adjusted current bucket size, determining that the CPU utilization level for the data flow would not be exceeded if the data packet is transmitted toward its destination.
 11. The one or more non-transitory computer-readable storage media of claim 8, storing additional instructions which, when executed by the one or more processors, cause the one or more processors to perform: in response to determining that the CPU utilization level for the data flow would not be exceeded if the data packet is transmitted toward its destination, generating a recommendation to allow a transmission of the data packet.
 12. The one or more non-transitory computer-readable storage media of claim 8, storing additional instructions which, when executed by the one or more processors, cause the one or more processors to perform: determining whether the data packet is encrypted; in response to determining that the data packet is encrypted, accessing a rate limit table for encrypted data packets, to determine the rate limit from the rate limit table for the encrypted data packets, and based on the CPU utilization level and the packet size; and in response to determining that the data packet is unencrypted, accessing a rate limit table for unencrypted data packets, to determine the rate limit from the rate limit table for the unencrypted data packets, and based on the CPU utilization level and the packet size.
 13. The one or more non-transitory computer-readable storage media of claim 8, storing additional instructions which, when executed by the one or more processors, cause the one or more processors to perform: identifying, in the rate limit table, two entries that are indexed using the packet size and that correspond to two utilization levels that are close to the CPU utilization level extracted from the request; computing an average value from the two entries; and returning the average value as the rate limit.
 14. The one or more non-transitory computer-readable storage media of claim 8, wherein the request for the CPU utilization throttling is communicated to a hypervisor by a control plane.
 15. A hypervisor implemented in a host computer and configured to throttle CPU utilization for a data flow, the hypervisor comprising: one or more processors; one or more memory units; and one or more non-transitory computer-readable storage media storing one or more computer instructions which, when executed by the one or more processors, cause the one or more processors to perform: receiving a request for a CPU utilization throttling; wherein the request includes at least a CPU utilization level and a data flow identifier of a data flow to which the CPU utilization throttling is to be applied; detecting, at a certain point along a datapath, a data packet that belongs to the data flow identified by the data flow identifier; determining a packet size of the data packet; accessing a rate limit table to determine, based on the CPU utilization level and the packet size, a rate limit for the data packet; determining, based on the rate limit, whether the CPU utilization level for the data flow would be exceeded if the data packet is transmitted toward its destination; and in response to determining that the CPU utilization level for the data flow would be exceeded if the data packet is transmitted toward its destination, generating a recommendation to drop the data packet.
 16. The hypervisor of claim 15, wherein the one or more non-transitory computer-readable storage media store additional instructions which, when executed by the one or more processors, cause the one or more processors to perform: determining an arrival time at which the data packet was detected at the certain point of the datapath; determining a last arrival time at which a previous data packet was detected; determining a current bucket size and a bucket capacity of a bucket associated with a CPU resource dedicated to a processing of the data flow; wherein the current bucket size indicates a size of the bucket at the arrival time; wherein the bucket capacity indicates a maximum size of the bucket; computing a count of tokens that have been returned to the bucket by the arrival time; wherein computing the count of tokens comprises determining a product of the rate limit and a difference between the last arrival time and the arrival time; computing an updated current bucket size by adding the count of tokens to the current bucket size; determining an adjusted current bucket size by selecting a minimum of the bucket capacity and the updated current bucket size; determining whether the packet size exceeds the adjusted current bucket size; and in response to determining that the packet size exceeds the adjusted current bucket size, determining that the CPU utilization level for the data flow would be exceeded if the data packet is transmitted toward its destination.
 17. The hypervisor of claim 16, wherein the one or more non-transitory computer-readable storage media store additional instructions which, when executed by the one or more processors, cause the one or more processors to perform: in response to determining that the packet size does not exceed the adjusted current bucket size, determining that the CPU utilization level for the data flow would not be exceeded if the data packet is transmitted toward its destination.
 18. The hypervisor of claim 15, wherein the one or more non-transitory computer-readable storage media store additional instructions which, when executed by the one or more processors, cause the one or more processors to perform: in response to determining that the CPU utilization level for the data flow would not be exceeded if the data packet is transmitted toward its destination, generating a recommendation to allow a transmission of the data packet.
 19. The hypervisor of claim 15, wherein the one or more non-transitory computer-readable storage media store additional instructions which, when executed by the one or more processors, cause the one or more processors to perform: determining whether the data packet is encrypted; in response to determining that the data packet is encrypted, accessing a rate limit table for encrypted data packets, to determine the rate limit from the rate limit table for the encrypted data packets, and based on the CPU utilization level and the packet size; and in response to determining that the data packet is unencrypted, accessing a rate limit table for unencrypted data packets, to determine the rate limit from the rate limit table for the unencrypted data packets, and based on the CPU utilization level and the packet size.
 20. The hypervisor of claim 15, wherein the one or more non-transitory computer-readable storage media store additional instructions which, when executed by the one or more processors, cause the one or more processors to perform: identifying, in the rate limit table, two entries that are indexed using the packet size and that correspond to two utilization levels that are close to the CPU utilization level extracted from the data packet; computing an average value from the two entries; and returning the average value as the rate limit. 
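The table lookup in claims 13, 19 and 20 and the token-bucket check in claims 16 and 17 fit together into one small limiter. The following is an added example written for this page, not code from the patent or its assignee. It assumes constructed units (packet and bucket sizes in bytes, timestamps in microseconds, rate limits in bytes per microsecond), constructed table contents for an unencrypted and an encrypted flow, and one step the claims do not spell out: a packet that is allowed is charged against the bucket, which is the usual token-bucket behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the patent's own code. Units: bytes, microseconds,
 * bytes per microsecond. All table values below are constructed samples. */

#define N_LEVELS 5
#define N_SIZES  4

/* CPU utilization levels (percent) indexing the table rows. */
static const uint32_t LEVELS[N_LEVELS] = {20, 40, 60, 80, 100};
/* Packet size classes (bytes) indexing the table columns; a packet maps to
 * the smallest class that is not smaller than the packet. */
static const uint32_t SIZES[N_SIZES] = {64, 512, 1024, 1500};

/* Constructed rate limits (bytes/us). Encryption costs more CPU per byte, so
 * the encrypted table permits fewer bytes per microsecond at the same level. */
static const double PLAIN_TABLE[N_LEVELS][N_SIZES] = {
    { 40.0,  80.0, 100.0, 120.0},   /* 20%  */
    { 80.0, 160.0, 200.0, 240.0},   /* 40%  */
    {120.0, 240.0, 300.0, 360.0},   /* 60%  */
    {160.0, 320.0, 400.0, 480.0},   /* 80%  */
    {200.0, 400.0, 500.0, 600.0},   /* 100% */
};
static const double ENC_TABLE[N_LEVELS][N_SIZES] = {
    { 10.0,  20.0,  25.0,  30.0},
    { 20.0,  40.0,  50.0,  60.0},
    { 30.0,  60.0,  75.0,  90.0},
    { 40.0,  80.0, 100.0, 120.0},
    { 50.0, 100.0, 125.0, 150.0},
};

static size_t size_class(uint32_t packet_size) {
    for (size_t i = 0; i < N_SIZES; i++)
        if (packet_size <= SIZES[i]) return i;
    return N_SIZES - 1;             /* larger than any class: use the largest */
}

/* Claims 13/19/20: pick the table by encryption state, then return the entry
 * for an exact level match or the average of the two bracketing levels. */
double lookup_rate_limit(uint32_t cpu_level, uint32_t packet_size, bool encrypted) {
    const double (*table)[N_SIZES] = encrypted ? ENC_TABLE : PLAIN_TABLE;
    size_t col = size_class(packet_size);
    if (cpu_level <= LEVELS[0]) return table[0][col];
    for (size_t i = 1; i < N_LEVELS; i++) {
        if (cpu_level == LEVELS[i]) return table[i][col];
        if (cpu_level < LEVELS[i])
            return (table[i - 1][col] + table[i][col]) / 2.0;
    }
    return table[N_LEVELS - 1][col];   /* above the top level: clamp */
}

struct flow_bucket {
    double   tokens;         /* current bucket size (bytes) */
    double   capacity;       /* bucket capacity (bytes) */
    uint64_t last_arrival;   /* arrival time of the previous packet (us) */
};

enum verdict { VERDICT_ALLOW = 0, VERDICT_DROP = 1 };

/* Claims 16/17: refill by rate_limit * elapsed, clamp to capacity, compare
 * with the packet size. Charging an allowed packet to the bucket is this
 * example's assumption; the claims only describe the comparison. */
enum verdict throttle_packet(struct flow_bucket *b, uint32_t cpu_level,
                             uint32_t packet_size, bool encrypted,
                             uint64_t arrival) {
    double rate = lookup_rate_limit(cpu_level, packet_size, encrypted);
    uint64_t gap = arrival > b->last_arrival ? arrival - b->last_arrival : 0;
    double updated = b->tokens + rate * (double)gap;       /* tokens returned */
    double adjusted = updated < b->capacity ? updated : b->capacity;
    b->last_arrival = arrival;
    if ((double)packet_size > adjusted) {
        b->tokens = adjusted;        /* keep the refill; recommend drop */
        return VERDICT_DROP;
    }
    b->tokens = adjusted - (double)packet_size;
    return VERDICT_ALLOW;
}

/* Constructed trace: a 60% throttle on an encrypted flow sending 1500-byte
 * packets once per microsecond. Returns how many the limiter would drop. */
int demo_drop_count(void) {
    struct flow_bucket b = { .tokens = 3000.0, .capacity = 3000.0, .last_arrival = 0 };
    int drops = 0;
    for (uint64_t t = 1; t <= 10; t++)
        if (throttle_packet(&b, 60, 1500, true, t) == VERDICT_DROP) drops++;
    return drops;
}

int main(void) {
    printf("rate limit (60%%, 1500 B, encrypted): %.1f B/us\n",
           lookup_rate_limit(60, 1500, true));
    printf("dropped %d of 10 packets\n", demo_drop_count());
    return 0;
}
```

With the constructed encrypted table the 60% row allows 90 bytes/us for a 1500-byte packet, so after the initial 3000-byte burst is spent the bucket never refills enough within one microsecond to admit another full packet, and the remaining eight packets get a drop recommendation. A deployment would size the bucket capacity to the burst it is willing to absorb and derive the table rows from measured encryption cost per byte at each utilization level.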